Context Navigation

← Previous Change
Next Change →

JITStubs.cpp

Timestamp:

Nov 2, 2009, 10:49:42 PM (16 years ago)

Author:

Message:

REGRESSION (r48573): JSC may incorrectly cache chain lookups with a dictionary at the head of the chain
https://bugs.webkit.org/show_bug.cgi?id=31045

Reviewed by Gavin Barraclough.

Add guards to prevent caching of prototype chain lookups with dictionaries at the
head of the chain. Also add a few tighter assertions to cached prototype lookups
to catch this in future.

File:

: 1 edited

trunk/JavaScriptCore/jit/JITStubs.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JavaScriptCore/jit/JITStubs.cpp

-              r50109
+              r50443
         JIT::patchGetByIdSelf(codeBlock, stubInfo, structure, slot.cachedOffset(), returnAddress);
+        return;
+    }
+    if (structure->isDictionary()) {
+        ctiPatchCallByReturnAddress(codeBlock, returnAddress, FunctionPtr(cti_op_get_by_id_generic));
         return;
+    }

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 50443 in webkit for trunk/JavaScriptCore/jit/JITStubs.cpp

Legend:

trunk/JavaScriptCore/jit/JITStubs.cpp

Download in other formats: